In March of 2021, Virginia passed the Consumer Data Protection Act (CDPA) into law. With its passage, Virginia became the second state in the country—California being the first—to formally introduce legislation and requirements around user privacy.
In many ways, Virginia’s law is clearer than California’s, but with the CDPA’s passage, the data privacy requirements for companies doing business in the United States were significantly expanded. And, because of those expansions, you can’t assume you’re in compliance with the CDPA even if you’re compliant with California law.
While the CDPA won’t go into effect until January 1, 2023, if you have users in Virginia who access your site, you will be required to adhere to its standards. That’s why it’s so important that you start preparing for it now. By taking the time to come into compliance, you won’t run into issues down the road. So, to help you get ready, let’s walk through the main components of the law that apply to marketers and advertisers like you.
Overview of the CDPA
The first thing to understand about the CDPA is that it uses a controller/processor model. This simply means it outlines the responsibilities and privacy protection standards for data controllers (the party responsible for determining what personal information is being collected and how it is used) and processors (the party responsible for executing the processing of that information).
Essentially, the law gives Virginians rights around how controllers and processors collect and use their personal data. And, just to be clear, when the CDPA refers to “personal data,” it’s referring to any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information, however.
The CDPA also provides a means to enforce controllers’ and processors’ compliance with the law. In short, if a processor or controller fails to comply with any provision of the CDPA, actions can be brought against them, and those actions can result in penalties of up to $7,500 for each violation.
General Rights Granted by the CDPA
Before we discuss what you need to know to remain compliant, let’s look at the general rights that the CDPA grants Virginia residents. For our purposes, we’re going to limit the scope of this discussion to the rights related to marketing and advertising. First, the CDPA gives Virginians the right to confirm whether or not a controller is processing their personal data. It allows users to access any of their personal data that is being processed. And, it gives them the right to correct any inaccuracies in their personal data.
They also have a right to delete personal data, whether they’ve provided it themselves or the company obtained it another way. In other words, if you purchase third-party data and supplement your datasets with that information, then when a deletion request comes in, any information you have that’s linked with that individual must be deleted, regardless of the source.
Users also have the right to obtain a copy of their personal data in a portable, readily usable format. Finally, they have the right to opt out of the processing of their personal data specifically for a few different purposes, including targeted advertising.
Targeted Advertising Restrictions Under the CDPA
That right to opt out of having personal data used for targeted advertising is one of the provisions that will have the biggest impact on marketing and advertising strategies. As such, it’s worth a closer look.
The CDPA defines targeted advertising as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.”
Notably, targeted advertising does not include advertisements based on activities within a controller’s own websites or online applications; ads based on the context of a consumer’s current search query, visit to a website, or online application; ads directed to a consumer in response to their request for feedback or information; or personal data processed solely for measuring or reporting advertising performance, reach, or frequency.
What does this mean for you? First and foremost, as a marketer or advertiser, it’s very important that you give your users the ability to opt out of targeted advertising. If they do opt out, you must take steps to ensure that you don’t use any of their personal data to engage in any prohibited activities.
Operational Impacts of the CDPA
One of the key things to understand is that the CDPA does not give users the right to opt out of having their personal data collected. Instead, it gives them the right to opt out of what you do with that data. This may sound overly nuanced, but it’s a crucial point: you can collect personal data from a user, and use it for purposes that aren’t explicitly restricted.
That means you must have processes around how you collect and process data. Take the restrictions around targeted advertising, for example: realistically, the only personal data you can use for targeting an opted-out user is the first-party information you’ve collected about your users. And, since users can opt out of targeted advertising, finding ways to incentivize them to allow such activities will become increasingly important.
The CDPA also requires you to limit the collection of personal data to that which is adequate, relevant, and reasonably necessary in relation to the purposes for which you’ve disclosed that the data is processed. In other words, any personal data you collect has to be limited to what is absolutely necessary, and those purposes must be disclosed to the user.
That means you must be strategic upfront about what types of activities you’re doing from a marketing or advertising standpoint. You need to define your goals and determine what data is necessary to accomplish them. Then, you must set up processes to limit the scope of the processing accordingly.
This puts more of a burden on you than there has been in the past. To remain compliant, you need to be highly strategic, because you must be able to justify all the activities you’re doing for marketing and advertising.
Data Protection Assessment Requirements
There’s one more important thing you need to know to remain compliant with the CDPA: if you are collecting or processing personal data, you must establish, implement, and maintain the security of the data you collect. You must also perform “data protection assessments” anytime you process personal data for the purposes of targeted advertising.
At its core, the data protection assessment requires you to weigh the benefits of the activity against the risk to the consumer. This piece is critical, and in fact, if an action is brought against you, the Attorney General can request your assessment as part of the investigation.
In an investigation, the data protection assessment is your way to defend yourself. Notably, this requirement applies to processing activities created or generated after January 1, 2023. It is not retroactive.
Create Your Privacy Best Practices Now
As you can see, the CDPA ushers in some key differences between consumers’ privacy rights now versus their rights in the future. So, if you operate in Virginia or have users in Virginia, you need to start ramping up now to ensure you’re compliant when the law goes into effect in early 2023.
The CDPA codifies privacy best practices, from being strategic and purposeful around what data you collect and how you use it, to making sure you disclose your purposes to users and give them the option to opt out of various uses of their personal data.
My recommendation? Take 2022 to implement those best practices, so when the law goes fully into effect, you’re ready.